splunk / attack_range

A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk
Apache License 2.0

Build halts at "change password splunk" Ansible Task #743

Closed vonn1e closed 1 year ago

vonn1e commented 1 year ago

I'm running Ubuntu 20.04.5 LTS bare metal on my local laptop, after installing VirtualBox 7, Vagrant and Poetry. After cloning the repo, I cd into attack_range, run poetry shell, modify the attack_range.yml file and run python3 attack_range.py build; however, the build keeps stopping when Ansible tries to change the Splunk password. It also skips the first few playbooks for some reason, which I think is related. I'm not sure why this happens - it even skips after I've destroyed the range, deleted the VMs and tried to rebuild.

Any thoughts? Here's the full output below:

(attack-range-py3.8) vonnie@attack:/opt/attack_range$ python3 attack_range.py build

                          __
                        .d$$b
                      .' TO$;\
                     /  : TP._;
                    / _.;  :Tb|
                   /   /   ;j$j
               _.-"       d$$$$
             .' ..       d$$$$;
            /  /P'      d$$$$P. |\
           /   "      .d$$$P' |\^"l
         .'           `T$P^"""""  :
     ._.'      _.'                ;
  `-.-".-'-' ._.       _.-"    .-"
`.-" _____  ._              .-"

-(.g$$$$$$$b. .' ""^^T$$$P^) .(: / -" /.' /:/; ..'-'-' ")/ /;/; -.-"..--"" " / / ; .-" ..--"" -' : ..--""--.-" (\ .-(\ ..--"" -\(\/; _. : ;`- :\ ; bug

By: Splunk Threat Research Team [STRT] - research@splunk.com

2023-02-08 12:45:30,582 - INFO - attack_range - [action] > build

Bringing machine 'ar-splunk-attack-range-key-pair-ar' up with 'virtualbox' provider...
Bringing machine 'ar-win-attack-range-key-pair-ar-0' up with 'virtualbox' provider...
Bringing machine 'ar-win-attack-range-key-pair-ar-1' up with 'virtualbox' provider...
Bringing machine 'ar-win-attack-range-key-pair-ar-2' up with 'virtualbox' provider...
Bringing machine 'ar-linux-attack-range-key-pair-ar-0' up with 'virtualbox' provider...
Bringing machine 'ar-kali-attack-range-key-pair-ar' up with 'virtualbox' provider...
==> ar-splunk-attack-range-key-pair-ar: Importing base box 'generic/ubuntu2004'...
==> ar-splunk-attack-range-key-pair-ar: Matching MAC address for NAT networking...
==> ar-splunk-attack-range-key-pair-ar: Checking if box 'generic/ubuntu2004' version '4.2.10' is up to date...
==> ar-splunk-attack-range-key-pair-ar: Setting the name of the VM: ar-splunk
==> ar-splunk-attack-range-key-pair-ar: Clearing any previously set network interfaces...
==> ar-splunk-attack-range-key-pair-ar: Preparing network interfaces based on configuration...
    ar-splunk-attack-range-key-pair-ar: Adapter 1: nat
    ar-splunk-attack-range-key-pair-ar: Adapter 2: hostonly
==> ar-splunk-attack-range-key-pair-ar: Forwarding ports...
    ar-splunk-attack-range-key-pair-ar: 8000 (guest) => 8000 (host) (adapter 1)
    ar-splunk-attack-range-key-pair-ar: 8089 (guest) => 8089 (host) (adapter 1)
    ar-splunk-attack-range-key-pair-ar: 22 (guest) => 2222 (host) (adapter 1)
==> ar-splunk-attack-range-key-pair-ar: Running 'pre-boot' VM customizations...
==> ar-splunk-attack-range-key-pair-ar: Booting VM...
==> ar-splunk-attack-range-key-pair-ar: Waiting for machine to boot. This may take a few minutes...
    ar-splunk-attack-range-key-pair-ar: SSH address: 127.0.0.1:2222
    ar-splunk-attack-range-key-pair-ar: SSH username: vagrant
    ar-splunk-attack-range-key-pair-ar: SSH auth method: private key
    ar-splunk-attack-range-key-pair-ar:
    ar-splunk-attack-range-key-pair-ar: Vagrant insecure key detected. Vagrant will automatically replace
    ar-splunk-attack-range-key-pair-ar: this with a newly generated keypair for better security.
    ar-splunk-attack-range-key-pair-ar:
    ar-splunk-attack-range-key-pair-ar: Inserting generated public key within guest...
    ar-splunk-attack-range-key-pair-ar: Removing insecure key from the guest if it's present...
    ar-splunk-attack-range-key-pair-ar: Key inserted! Disconnecting and reconnecting using new SSH key...
==> ar-splunk-attack-range-key-pair-ar: Machine booted and ready!
==> ar-splunk-attack-range-key-pair-ar: Checking for guest additions in VM...
    ar-splunk-attack-range-key-pair-ar: The guest additions on this VM do not match the installed version of
    ar-splunk-attack-range-key-pair-ar: VirtualBox! In most cases this is fine, but in rare cases it can
    ar-splunk-attack-range-key-pair-ar: prevent things such as shared folders from working properly. If you see
    ar-splunk-attack-range-key-pair-ar: shared folder errors, please make sure the guest additions within the
    ar-splunk-attack-range-key-pair-ar: virtual machine match the version of VirtualBox you have installed on
    ar-splunk-attack-range-key-pair-ar: your host and reload your VM.
    ar-splunk-attack-range-key-pair-ar:
    ar-splunk-attack-range-key-pair-ar: Guest Additions Version: 6.1.38
    ar-splunk-attack-range-key-pair-ar: VirtualBox Version: 7.0
==> ar-splunk-attack-range-key-pair-ar: Setting hostname...
==> ar-splunk-attack-range-key-pair-ar: Configuring and enabling network interfaces...
==> ar-splunk-attack-range-key-pair-ar: Running provisioner: ansible...
    ar-splunk-attack-range-key-pair-ar: Running ansible-playbook...
[DEPRECATION WARNING]: "include" is deprecated, use include_tasks/import_tasks instead. This feature will be removed in version 2.16. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

PLAY [all] *****

TASK [linux_common : Upgrade all apt packages] ***** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [linux_common : Install Acl] ** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [linux_common : Check if a reboot is needed for Debian and Ubuntu boxes] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [linux_common : Reboot the Debian or Ubuntu server] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [linux_common : Create resolved.conf.d] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [linux_common : Disable DNSSEC] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [linux_common : Restart systemd-resolved] ***** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [linux_common : disable ubuntu autoupgrade] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server : add splunk group] **** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server : add splunk user] ***** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server : make /opt writetable by splunk] ** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server : checking if splunk is install] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server : is splunk installed?] **** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server : download splunk] ***** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server : install splunk binary] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server : migrate to WiredTiger] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server : accept license and start splunk] ***** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server : enable boot-start] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server : restart splunk] ** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server : Create folder directory for inputs configuration] **** skipping: [ar-splunk-attack-range-key-pair-ar] => (item=/opt/splunk/etc/apps/inputs_app/local/)

TASK [splunk_server : copy inputs.conf] **** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server : Create folder directory for indexes configuration] *** skipping: [ar-splunk-attack-range-key-pair-ar] => (item=/opt/splunk/etc/apps/indexes_app/local/)

TASK [splunk_server : copy indexes.conf to splunk server] ** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server : copy authorize.conf for default searchable indexes_app] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server : Create folder directory for indexes configuration] *** skipping: [ar-splunk-attack-range-key-pair-ar] => (item=/opt/splunk/etc/apps/limits_app/local/)

TASK [splunk_server : copy limits.conf to splunk server] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server : Create folder directory for web configuration] *** skipping: [ar-splunk-attack-range-key-pair-ar] => (item=/opt/splunk/etc/apps/system/local/)

TASK [splunk_server : copy web.conf to splunk server] ** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server : Create folder directory for server configuration] **** skipping: [ar-splunk-attack-range-key-pair-ar] => (item=/opt/splunk/etc/apps/server_app/local/)

TASK [splunk_server : copy server.conf to splunk server] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server : restart splunk] ** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server : copy serverclass.conf to splunk server] ** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server : include] *****
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=splunk-add-on-for-microsoft-windows_840.tgz)
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=splunk-timeline-custom-visualization_161.tgz)
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=status-indicator-custom-visualization_150.tgz)
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=splunk-sankey-diagram-custom-visualization_160.tgz)
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=punchcard-custom-visualization_150.tgz)
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=splunk_attack_range_reporting-1.0.9.tar.gz)
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=splunk-common-information-model-cim_500.tgz)
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=DA-ESS-ContentUpdate-latest.tar.gz)
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=python-for-scientific-computing-for-linux-64-bit_302.tgz)
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=splunk-machine-learning-toolkit_531.tgz)
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=splunk-security-essentials_350.tgz)
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=splunk-add-on-for-sysmon_200.tgz)
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=add-on-for-linux-sysmon_104.tgz)
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=splunk-add-on-for-amazon-web-services-aws_520.tgz)
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=splunk-add-on-for-microsoft-office-365_300.tgz)
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=splunk-add-on-for-amazon-kinesis-firehose_131r7d1d093.tgz)
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=splunk-add-on-for-unix-and-linux_840.tgz)
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=ta-for-zeek_105.tgz)
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=splunk-add-on-for-nginx_310.tgz)
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=phantom-app-for-splunk_4035.tgz)
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=TA-osquery.tar.gz)
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=splunk-add-on-for-microsoft-cloud-services_433.tgz)
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=splunk-add-on-for-crowdstrike-fdr_120.tgz)
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=vmware-carbon-black-cloud_115.tgz)
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=splunk-add-on-for-carbon-black_210.tgz)
skipping: [ar-splunk-attack-range-key-pair-ar] => (item=TA-aurora-0.2.0.tar.gz)
[DEPRECATION WARNING]: "include" is deprecated, use include_tasks/import_tasks/import_playbook instead. This feature will be removed in version 2.16. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

TASK [splunk_server : Create folder directory for user-prefs configuration] **** skipping: [ar-splunk-attack-range-key-pair-ar] => (item=/opt/splunk/etc/users/admin/user-prefs/local/)

TASK [splunk_server : copy user-prefs.conf to splunk server] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server : Create local folder directory] *** skipping: [ar-splunk-attack-range-key-pair-ar] => (item=/opt/splunk/etc/apps/DA-ESS-ContentUpdate/local/)

TASK [splunk_server : Copy new props.conf configuration] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server : Copy new local.meta configuration] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server : Create local folder directory] *** skipping: [ar-splunk-attack-range-key-pair-ar] => (item=/opt/splunk/etc/apps/Splunk_SA_CIM/local/)

TASK [splunk_server : copy datamodels.conf to splunk server] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server : create local folder for phantom app] ***** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server : copy phantom.conf to splunk server] ** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [guacamole : Update apt-get repo and cache] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [guacamole : Install each and every of the dependencies that our Guacamole server will require to breath and live.] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [guacamole : Install FreeRDP2 (add-apt-repository)] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [guacamole : Update apt-get repo and cache] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [guacamole : Install FreeRDP] ***** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [guacamole : Create Tomcat system user] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [guacamole : Download Apache Tomcat] ** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [guacamole : Extract the tar file to the /opt/tomcat directory] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [guacamole : Give neccessary permissions] ***** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [guacamole : Copy tomcat.service file] **** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [guacamole : System daemon reload] **** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [guacamole : Enable tomcat] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [guacamole : Restart tomcat] ** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [guacamole : Download Guacamole] ** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [guacamole : Extract the source tarball after download] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [guacamole : Configure and install Guacamole] ***** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [guacamole : System daemon reload] **** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [guacamole : Enable guacd] **** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [guacamole : Restart guacd] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [guacamole : Make Guacamole directory] **** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [guacamole : Download Guacamole Client] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [guacamole : Move .war] *** skipping: [ar-splunk-attack-range-key-pair-ar]

TASK [guacamole : link guacamole.war] ** skipping: [ar-splunk-attack-range-key-pair-ar]

PLAY RECAP *****
ar-splunk-attack-range-key-pair-ar : ok=0 changed=0 unreachable=0 failed=0 skipped=65 rescued=0 ignored=0

==> ar-splunk-attack-range-key-pair-ar: Running provisioner: ansible...
    ar-splunk-attack-range-key-pair-ar: Running ansible-playbook...
[DEPRECATION WARNING]: "include" is deprecated, use include_tasks/import_tasks instead. This feature will be removed in version 2.16. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

PLAY [all] *****

TASK [set_hostname_linux : Change the hostname] **** changed: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server_post : change password splunk] ***** fatal: [ar-splunk-attack-range-key-pair-ar]: FAILED! => {"msg": "Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user (rc: 1, err: chmod: invalid mode: ‘A+user:splunk:rx:allow’\nTry 'chmod --help' for more information.\n}). For information on working around this, see https://docs.ansible.com/ansible-core/2.12/user_guide/become.html#risks-of-becoming-an-unprivileged-user"}

PLAY RECAP *****
ar-splunk-attack-range-key-pair-ar : ok=1 changed=1 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

Ansible failed to complete successfully. Any error output should be visible above. Please fix these errors and try again.
2023-02-08 12:46:12,039 - ERROR - attack_range - vagrant failed to build

vonn1e commented 1 year ago

I may have fixed this by setting use_prebuilt_images_with_packer: '0' in attack_range.yml.
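The failure in the first comment and the fix in the second point at the same root cause: the linux_common role (including its "Install Acl" task) was skipped in the first play, so setfacl was not available when Ansible later tried to hand its temporary module files to the unprivileged splunk user, and its chmod A+user:... fallback was rejected by GNU chmod. The script below is an added example, not code from attack_range or from the issue reporter: it parses Ansible task output of the shape pasted above (a constructed, shortened sample is embedded), correlates a become-unprivileged temp-file failure with a skipped "Install Acl" task, and lists the remediations from the Ansible become documentation that the error links to, plus the reporter's attack_range-specific setting. The shortened host name ar-splunk, the task-line regex and the function names are assumptions fitted to this log format.

```python
import json
import re

# Constructed sample, modelled on the Ansible output pasted in the issue above
# (host names shortened; not a verbatim copy of the original log).
SAMPLE_OUTPUT = """\
PLAY [all] *****

TASK [linux_common : Upgrade all apt packages] ***** skipping: [ar-splunk]

TASK [linux_common : Install Acl] ** skipping: [ar-splunk]

TASK [splunk_server : Create folder directory for inputs configuration] **** skipping: [ar-splunk] => (item=/opt/splunk/etc/apps/inputs_app/local/)

PLAY RECAP ***** ar-splunk : ok=0 changed=0 unreachable=0 failed=0 skipped=65 rescued=0 ignored=0

PLAY [all] *****

TASK [set_hostname_linux : Change the hostname] **** changed: [ar-splunk]

TASK [splunk_server_post : change password splunk] ***** fatal: [ar-splunk]: FAILED! => {"msg": "Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user (rc: 1, err: chmod: invalid mode: 'A+user:splunk:rx:allow'). For information on working around this, see https://docs.ansible.com/ansible-core/2.12/user_guide/become.html#risks-of-becoming-an-unprivileged-user"}

PLAY RECAP ***** ar-splunk : ok=1 changed=1 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
"""

# Matches one "TASK [role : name] **** status: [host] ..." line as Vagrant's
# run-together Ansible output prints it. The role prefix is optional.
TASK_RE = re.compile(
    r"^TASK \[(?:(?P<role>[^\]:]+?)\s*:\s*)?(?P<name>[^\]]+)\] \*+\s*"
    r"(?P<status>skipping|ok|changed|fatal|failed|unreachable):\s*\[(?P<host>[^\]]+)\](?P<rest>.*)$"
)

BECOME_TMP_MARKER = "temporary files Ansible needs to create when becoming an unprivileged user"


def parse_ansible_output(text):
    """Return one dict per TASK line: role, name, status, host and the decoded
    failure message (the {"msg": ...} JSON Ansible prints after '=>'), if any."""
    tasks = []
    for line in text.splitlines():
        m = TASK_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        message = ""
        if "=> {" in rest:
            payload = rest[rest.index("=> {") + 3:]
            try:
                message = json.loads(payload).get("msg", "")
            except ValueError:
                message = payload  # keep the raw text if the JSON was truncated
        tasks.append({
            "role": m.group("role") or "",
            "name": m.group("name").strip(),
            "status": m.group("status"),
            "host": m.group("host"),
            "message": message,
        })
    return tasks


def extract_become_user(message):
    """Pull the become user out of Ansible's Solaris-style chmod fallback
    ('A+user:<name>:rx:allow'), which is what the failing command names."""
    m = re.search(r"A\+user:([^:'\"]+):", message)
    return m.group(1) if m else ""


def diagnose(tasks):
    """Correlate a become-unprivileged temp-file failure with a skipped
    'Install Acl' task and return a list of findings with remediations."""
    acl_skipped = any(
        t["status"] == "skipping" and t["name"].lower() == "install acl" for t in tasks
    )
    findings = []
    for t in tasks:
        if t["status"] != "fatal" or BECOME_TMP_MARKER not in t["message"]:
            continue
        cause = ("setfacl was not usable on the target, so Ansible fell back to a chmod ACL "
                 "syntax (A+user:...) that GNU chmod rejects; the module temp files could "
                 "not be made readable by the become user")
        # Remediations as described in the Ansible become documentation linked in the error.
        remediations = [
            "install the 'acl' package on the target so setfacl is available",
            "or enable pipelining ([ssh_connection] pipelining = True in ansible.cfg), "
            "which avoids the temporary files for modules that need no file transfer",
        ]
        if acl_skipped:
            # attack_range-specific: the reporter's fix makes the linux_common role run.
            remediations.insert(0, "the 'Install Acl' task was skipped in the same run: let the "
                                   "linux_common role run (in attack_range: "
                                   "use_prebuilt_images_with_packer: '0')")
        findings.append({
            "task": t["name"], "host": t["host"], "acl_install_skipped": acl_skipped,
            "become_user": extract_become_user(t["message"]),
            "cause": cause, "remediations": remediations,
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(parse_ansible_output(SAMPLE_OUTPUT)):
        print(f"[{f['host']}] task '{f['task']}' failed (become user: {f['become_user']})")
        print("  cause:", f["cause"])
        for r in f["remediations"]:
            print("  fix:", r)
```

Run it against a saved build log by replacing SAMPLE_OUTPUT with the file contents; the correlation is what matters here, since a skipped=65 recap that looks harmless on its own is the actual reason the later play cannot become the splunk user.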